
Initial code add for the secret-sync-operator

jpapejr committed May 20, 2019
1 parent da0b5c9 commit 1c008f85a46ffac1d7595f8fc3d6cbe00836fc38


@@ -0,0 +1,75 @@
# Force dep to vendor the code generators, which aren't imported just used at dev time.
required = [
"k8s.io/code-generator/cmd/defaulter-gen",
"k8s.io/code-generator/cmd/deepcopy-gen",
"k8s.io/code-generator/cmd/conversion-gen",
"k8s.io/code-generator/cmd/client-gen",
"k8s.io/code-generator/cmd/lister-gen",
"k8s.io/code-generator/cmd/informer-gen",
"k8s.io/kube-openapi/cmd/openapi-gen",
"k8s.io/gengo/args",
"sigs.k8s.io/controller-tools/pkg/crd/generator",
]

[[override]]
name = "k8s.io/code-generator"
# revision for tag "kubernetes-1.13.1"
revision = "c2090bec4d9b1fb25de3812f868accc2bc9ecbae"

[[override]]
name = "k8s.io/kube-openapi"
revision = "0cf8f7e6ed1d2e3d47d02e3b6e559369af24d803"

[[override]]
name = "github.com/go-openapi/spec"
branch = "master"

[[override]]
name = "sigs.k8s.io/controller-tools"
version = "=v0.1.8"

[[override]]
name = "k8s.io/api"
# revision for tag "kubernetes-1.13.1"
revision = "05914d821849570fba9eacfb29466f2d8d3cd229"

[[override]]
name = "k8s.io/apiextensions-apiserver"
# revision for tag "kubernetes-1.13.1"
revision = "0fe22c71c47604641d9aa352c785b7912c200562"

[[override]]
name = "k8s.io/apimachinery"
# revision for tag "kubernetes-1.13.1"
revision = "2b1284ed4c93a43499e781493253e2ac5959c4fd"

[[override]]
name = "k8s.io/client-go"
# revision for tag "kubernetes-1.13.1"
revision = "8d9ed539ba3134352c586810e749e58df4e94e4f"

[[override]]
name = "github.com/coreos/prometheus-operator"
version = "=v0.29.0"

[[override]]
name = "sigs.k8s.io/controller-runtime"
version = "=v0.1.10"

[[constraint]]
name = "github.com/operator-framework/operator-sdk"
# The version rule is used for a specific release and the master branch for in between releases.
# branch = "master" #osdk_branch_annotation
version = "=v0.7.0" #osdk_version_annotation

[prune]
go-tests = true
non-go = true

[[prune.project]]
name = "k8s.io/code-generator"
non-go = false

[[prune.project]]
name = "k8s.io/gengo"
non-go = false
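Review bot: The override for `github.com/go-openapi/spec` tracks `branch = "master"`, while every other override in this manifest is pinned to a revision or an exact version. A moving branch means the vendored code can change whenever the dep lock file is regenerated, so upstream changes reach the operator build without review. Pin it like its neighbours, e.g. `revision = "<reviewed-commit-sha>"` (placeholder; use the value currently recorded in the lock file).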
@@ -0,0 +1,15 @@
FROM registry.access.redhat.com/ubi7-dev-preview/ubi-minimal:7.6

ENV OPERATOR=/usr/local/bin/secret-sync-operator \
USER_UID=1001 \
USER_NAME=secret-sync-operator

# install operator binary
COPY build/_output/bin/secret-sync-operator ${OPERATOR}

COPY build/bin /usr/local/bin
RUN /usr/local/bin/user_setup

ENTRYPOINT ["/usr/local/bin/entrypoint"]

USER ${USER_UID}
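Review bot: The `FROM` line pins the base image only by the mutable tag `7.6`, and the repository name `ubi7-dev-preview` suggests a preview channel rather than a supported one. A tag can be re-pushed, so the base contents can change between builds with no change in this repository, and per the manifests in this commit the resulting image runs with cluster-wide access to Secrets. Consider a digest pin on a supported repository, `FROM <registry>/<ubi-minimal-repo>@sha256:<digest>` (placeholders), and record the tag it corresponds to in a comment.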
@@ -0,0 +1,12 @@
#!/bin/sh -e

# This is documented here:
# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines

if ! whoami &>/dev/null; then
if [ -w /etc/passwd ]; then
echo "${USER_NAME:-secret-sync-operator}:x:$(id -u):$(id -g):${USER_NAME:-secret-sync-operator} user:${HOME}:/sbin/nologin" >> /etc/passwd
fi
fi

exec ${OPERATOR} $@
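Review bot: `exec ${OPERATOR} $@` on the last line expands both variables unquoted, so an argument containing whitespace or glob characters is re-split before it reaches the operator; use `exec "${OPERATOR}" "$@"`. The `&>/dev/null` in the `whoami` test is a bash extension under a `#!/bin/sh` shebang, and a strictly POSIX shell parses it as backgrounding `whoami`, so `>/dev/null 2>&1` is the portable form. Both Deployment manifests in this commit set `command: secret-sync-operator`, which replaces the image ENTRYPOINT, so this script is presumably bypassed in-cluster; either drop the `command` there or drop the script.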
@@ -0,0 +1,13 @@
#!/bin/sh
set -x

# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
mkdir -p ${HOME}
chown ${USER_UID}:0 ${HOME}
chmod ug+rwx ${HOME}

# runtime user will need to be able to self-insert in /etc/passwd
chmod g+rw /etc/passwd

# no need for this script to remain in the image after running
rm $0
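Review bot: `chmod g+rw /etc/passwd` leaves the account database writable by every process in the image that runs with group 0, and nothing limits that write to appending the current UID's own entry. A runtime user that can write the file can also rewrite existing entries, which is more than the stated goal of self-inserting a name requires. If the operator does not actually need the `whoami` lookup, drop this line together with the matching block in the entrypoint; otherwise make the trade-off explicit in the comment, e.g. `# NOTE: /etc/passwd stays writable by gid 0 for the life of the image, not only for the initial self-insert`. The expansions `${HOME}`, `${USER_UID}` and `$0` should also be double-quoted.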
@@ -0,0 +1,125 @@
package main

import (
"context"
"flag"
"fmt"
"os"
"runtime"

// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
_ "k8s.io/client-go/plugin/pkg/client/auth"

"github.ibm.com/jtpape/secret-sync-operator/pkg/apis"
"github.ibm.com/jtpape/secret-sync-operator/pkg/controller"

// "github.com/operator-framework/operator-sdk/pkg/k8sutil"
"github.com/operator-framework/operator-sdk/pkg/leader"
"github.com/operator-framework/operator-sdk/pkg/log/zap"
"github.com/operator-framework/operator-sdk/pkg/metrics"
sdkVersion "github.com/operator-framework/operator-sdk/version"
"github.com/spf13/pflag"
"sigs.k8s.io/controller-runtime/pkg/client/config"
"sigs.k8s.io/controller-runtime/pkg/manager"
logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
"sigs.k8s.io/controller-runtime/pkg/runtime/signals"
)

// Change below variables to serve metrics on different host or port.
var (
metricsHost = "0.0.0.0"
metricsPort int32 = 8383
)
var log = logf.Log.WithName("cmd")

func printVersion() {
log.Info(fmt.Sprintf("Go Version: %s", runtime.Version()))
log.Info(fmt.Sprintf("Go OS/Arch: %s/%s", runtime.GOOS, runtime.GOARCH))
log.Info(fmt.Sprintf("Version of operator-sdk: %v", sdkVersion.Version))
}

func main() {
// Add the zap logger flag set to the CLI. The flag set must
// be added before calling pflag.Parse().
pflag.CommandLine.AddFlagSet(zap.FlagSet())

// Add flags registered by imported packages (e.g. glog and
// controller-runtime)
pflag.CommandLine.AddGoFlagSet(flag.CommandLine)

pflag.Parse()

// Use a zap logr.Logger implementation. If none of the zap
// flags are configured (or if the zap flag set is not being
// used), this defaults to a production zap logger.
//
// The logger instantiated here can be changed to any logger
// implementing the logr.Logger interface. This logger will
// be propagated through the whole operator, generating
// uniform and structured logs.
logf.SetLogger(zap.Logger())

printVersion()

// namespace, err := k8sutil.GetWatchNamespace()
// if err != nil {
// log.Error(err, "Failed to get watch namespace")
// os.Exit(1)
// }

// Get a config to talk to the apiserver
cfg, err := config.GetConfig()
if err != nil {
log.Error(err, "")
os.Exit(1)
}

ctx := context.TODO()

// Become the leader before proceeding
err = leader.Become(ctx, "secret-sync-operator-lock")
if err != nil {
log.Error(err, "")
os.Exit(1)
}



// Create a new Cmd to provide shared dependencies and start components
mgr, err := manager.New(cfg, manager.Options{
Namespace: "",
MetricsBindAddress: fmt.Sprintf("%s:%d", metricsHost, metricsPort),
})
if err != nil {
log.Error(err, "")
os.Exit(1)
}

log.Info("Registering Components.")

// Setup Scheme for all resources
if err := apis.AddToScheme(mgr.GetScheme()); err != nil {
log.Error(err, "")
os.Exit(1)
}

// Setup all Controllers
if err := controller.AddToManager(mgr); err != nil {
log.Error(err, "")
os.Exit(1)
}

// Create Service object to expose the metrics port.
_, err = metrics.ExposeMetricsPort(ctx, metricsPort)
if err != nil {
log.Info(err.Error())
}

log.Info("Starting the Cmd.")

// Start the Cmd
if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
log.Error(err, "Manager exited non-zero")
os.Exit(1)
}
}
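Review bot: `manager.Options{Namespace: ""}` is hard-coded and the `k8sutil.GetWatchNamespace()` call is commented out, so the `WATCH_NAMESPACE` variable set in the Deployment manifests has no effect and the manager always watches every namespace. If cluster-wide scope is intended, say so at that line (`// Namespace "" = watch all namespaces; WATCH_NAMESPACE is intentionally ignored`) and remove the dead code; otherwise restore the lookup. Each `log.Error(err, "")` also passes an empty message, so failures from `config.GetConfig`, `leader.Become`, `manager.New`, `AddToScheme` and `AddToManager` cannot be told apart in the logs; give each a short message such as `log.Error(err, "creating manager")`. `metricsHost = "0.0.0.0"` binds the metrics endpoint on all pod interfaces, which is worth restricting with a NetworkPolicy if other workloads should not reach it.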
@@ -0,0 +1,73 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: secret-sync-operator
namespace: default
imagePullSecrets:
- name: bluemix-default-secret
- name: bluemix-default-secret-regional
- name: bluemix-default-secret-international
- name: default-icr-io
- name: default-us-icr-io
- name: default-uk-icr-io
- name: default-de-icr-io
- name: default-au-icr-io
- name: default-jp-icr-io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: secret-sync-operator
rules:
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs: ["*"]
- apiGroups: [""]
resources: ["namespaces", "pods", "replicasets"]
verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: secret-sync-operator
subjects:
- kind: ServiceAccount
name: secret-sync-operator
namespace: default
roleRef:
kind: ClusterRole
name: secret-sync-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: secret-sync-operator
namespace: default
spec:
replicas: 1
selector:
matchLabels:
name: secret-sync-operator
template:
metadata:
labels:
name: secret-sync-operator
spec:
serviceAccountName: secret-sync-operator
containers:
- name: secret-sync-operator
image: us.icr.io/armada-sigex/secret-sync-operator:1.0
command:
- secret-sync-operator
imagePullPolicy: Always
env:
- name: WATCH_NAMESPACE
value: ""
- name: OPERATOR_NAME
value: "secret-sync-operator"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
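Review bot: The ClusterRole grants `verbs: ["*"]` on `secrets` and `configmaps` in every namespace, which includes `delete`, `deletecollection` and any verb added later; the standalone ClusterRole later in this commit has the same wildcard. A compromised operator pod or a leaked ServiceAccount token therefore gives read and write access to every Secret in the cluster. List only the verbs the controller uses, for example `verbs: ["get", "list", "watch", "create", "update"]` (the controller code is not in view, so confirm the set against it). The ServiceAccount and Deployment are also placed in `default`, where any principal allowed to create pods can run a workload under this ServiceAccount; a dedicated namespace narrows that.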
@@ -0,0 +1,31 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: secret-sync-operator
spec:
replicas: 1
selector:
matchLabels:
name: secret-sync-operator
template:
metadata:
labels:
name: secret-sync-operator
spec:
serviceAccountName: secret-sync-operator
containers:
- name: secret-sync-operator
# Replace this with the built image name
image: REPLACE_IMAGE
command:
- secret-sync-operator
imagePullPolicy: Always
env:
- name: WATCH_NAMESPACE
value: ""
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "secret-sync-operator"
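Review bot: The container spec sets no `securityContext`, so the pod runs with the runtime's default capabilities and without an explicit bar on privilege escalation; the Deployment in the combined manifest earlier in this commit has the same gap. For a pod whose ServiceAccount can read Secrets cluster-wide, add an explicit non-root, no-escalation context under the container. The image ends with `USER ${USER_UID}` (1001), so `runAsNonRoot: true` should be satisfiable. Resource requests and limits are absent too; their values depend on observed usage, so none are proposed here.

```yaml
      containers:
        - name: secret-sync-operator
          # … unchanged: image, command, imagePullPolicy, env …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```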
@@ -0,0 +1,47 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: secret-sync-operator
rules:
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
verbs:
- "*"
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- "*"
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- "get"
- "create"
- apiGroups:
- apps
resources:
- deployments/finalizers
resourceNames:
- secret-sync-operator
verbs:
- "update"
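Review bot: This ClusterRole is named `secret-sync-operator`, the same name as the ClusterRole in the combined manifest earlier in this commit, but its rules differ, so whichever file is applied last decides what the operator can do. This version is the broader of the two: it adds `"*"` on `pods`, `services`, `endpoints`, `persistentvolumeclaims`, `events` and the `apps` workload resources, none of which a secret-sync controller obviously needs (the controller code is not in view). Keep a single definition and trim it to the resources and verbs the controller actually uses, replacing each `"*"` with an explicit verb list.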
